Is there something like OWASP for network security? Or has anyone come across a testing guide for network security that covers how to start an audit, the minimum number of tests to run, and the tools to use?

I am trying to put together a document, and it seems that the number of tests to be performed is endless, with a lot of combinations.

3 Answers
If you're looking for the equivalent of OWASP for network security, then I'd suggest that testing methodologies like OSSTMM or PTES (although PTES is still rather incomplete) are a good place to look for information.

However, as you say, both of those will have a very large amount of information in them. This is really because network security is a less well-defined proposition when compared to web application security. It spans a wide range of topics (Unix OS security, Windows OS security, network devices, databases, etc.), so the range of checks needed to complete a thorough review is going to be a lot wider than it will for a single web application.

That said, if you're looking for a basic set of checks for network security, I'd recommend:

Port scanning of all hosts in the target networks to establish what services they offer.

Vulnerability scanning of the open ports using a tool like Nessus or OpenVAS. Vulnerability scanners have a huge number of pre-programmed checks for common security issues, so they're a good way to identify basic issues. Also, if you provide credentials for them to authenticate to your servers, they can do a more thorough job of checking things like patch levels.

In addition to this, I'd recommend checking all management interfaces for default credentials. This is a very common issue and one that is the cause of a lot of breaches. Doing this can be as simple as connecting to each one and trying common default combinations (e.g. admin/admin). You can also review documentation for the system under review to see if it mentions default accounts (they often do).

Whilst doing this won't find all the issues in a network, it's a good first step and if you can resolve all the issues raised from this sort of scan your network would be heading in the right direction from a security standpoint.

When you say you want an "Organization like OWASP for network security", I assume that you're looking for an organization that provides easily digestible free resources to give you good overviews of best practices, common threats, and countermeasures, as opposed to some set of products designed to help you achieve those goals.

The SANS Institute is just such an organization. They offer a lot of paid training and resources, as well as some good free resources covering a wide range of security-related information.

One of the best resources for setting up good Network Security is the PCI DSS v3.0 guidelines. These are the Payment Card Industry Data Security Standards and are applied to organizations that store credit card data.